-
Notifications
You must be signed in to change notification settings - Fork 214
LDAP Injection
This guide demonstrates how to exploit the LDAP Injection vulnerability in the User Search feature.
The application simulates an LDAP-based user search endpoint (/api/v2/users/ldap-search). The backend constructs an LDAP filter string by directly concatenating the user input without sanitization:
const filter = "(uid=" + user + ")";This allows an attacker to inject LDAP filter operators (like *, ), () to alter the query logic, bypass access controls, or retrieve information about other users.
An attacker wants to enumerate all users in the directory or extract attributes of a specific user (like "admin") even if they don't know the exact username.
-
URL:
/api/v2/users/ldap-search - Method: GET
-
Parameter:
user
The * character in LDAP acts as a wildcard. By injecting it, we can search for "all users".
*
- Send a GET request:
http://dvws.local/api/v2/users/ldap-search?user=* -
Result: The application returns a list of all users (e.g., "admin", "guest", "manager") because the filter becomes
(uid=*).
This attack attempts to inject additional conditions into the filter to verify attributes or bypass checks.
admin)(objectClass=*
- Send a GET request:
http://dvws.local/api/v2/users/ldap-search?user=admin)(objectClass=* -
Logic:
- The code constructs:
(uid=+admin)(objectClass=*)+) - Resulting Filter:
(uid=admin)(objectClass=*) - (Note: The trailing
)from the code is ignored or treated as part of the structure depending on LDAP server, or balanced if we inject open parenthesis).
- The code constructs:
-
Result: The application returns the "admin" user object, but critically, it reveals hidden attributes (like
email,guid,description) that are not normally visible in a standard search.
- Information Disclosure: Attackers can enumerate users and extract sensitive internal attributes (GUIDs, emails, notes).
-
Authentication Bypass: In some scenarios (not this one), injecting
)(|could bypass login checks. - Logic Manipulation: Altering the query logic to access unauthorized records.
To prevent LDAP Injection, all user input used in LDAP filters must be properly escaped (e.g., encoding ( as \28, ) as \29, * as \2a, etc.) using a library designed for LDAP encoding.
- XML External Entity Injection
- Server Side Request Forgery (SSRF)
- Username Enumeration
- NoSQL Injection
- Insecure Direct Object Reference
- Mass Assignment
- Cross Site Scripting (XSS)
- Hidden API Functionality Exposure
- SQL Injection
- Information Disclosure
- Insecure PostMessage Configuration
- Command Injection
- Prototype Pollution
- JSON Hijacking
- XPath Injection
- Cross Origin Resource-Sharing Misonfiguration
- JWT Secret Key Brute Force
- Vertical Access Control
- Horizontal Access Control
- Open Redirect
- Path Traversal
- Unsafe Deserialization
- Sensitive Data Exposure
- Arbitrary File Write
- Introspection Enabled
- GraphQL Access Control Issues
- GraphQL Batching Brute Force
- API Endpoint Brute Forcing
- CRLF Injection
- XML Injection
- XML Bomb Denial‐of‐Service
- SOAP Injection
- JSON CSRF
- LDAP Injection
- Rate Limit Bypass
- Client Side Template Injection